Ubuntu
ntp package

AppArmor nameservice abstraction doesn't allow communication with systemd-resolved

Bug #1598759 reported by knz on 2016-07-04

This bug affects 9 people

	Status	Importance	Assigned to
AppArmor	Triaged	High	Unassigned
apparmor (Ubuntu)	Fix Released	High	Tyler Hicks
Yakkety	Fix Released	High	Tyler Hicks
ntp (Ubuntu)	Invalid	High	Joshua Powers
Yakkety	Invalid	High	Joshua Powers

Bug Description

[ Impact ]

Processes confined by AppArmor profiles making use of the nameservice AppArmor abstraction are unable to access the systemd-resolved network name resolution service. The nsswitch.conf file shipped in Yakkety puts the nss-resolve plugin to use which talks to systemd-resolved over D-Bus. The D-Bus communication is blocked for the confined processes described above and those processes will fallback to the traditional means of name resolution.

[ Test Case ]

* Use ntpd to test:
  $ sudo apt-get install -y ntp
  ...
  $ sudo systemctl stop ntp

# in another terminal, watch for AppArmor denials
$ dmesg -w

# in the original terminal, start ntp
$ sudo systemctl start ntp

# You'll see a number of denials on the system_bus_socket file:
audit: type=1400 audit(1476240762.854:35): apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" pid=3867 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=126 ouid=0

* Use tcpdump to test:

# Capture traffic on whichever network interface you're currently using
$ sudo tcpdump -i eth0

# Look in /var/log/syslog for denials on the system_bus_socket file:
audit: type=1400 audit(1476240896.021:40): apparmor="DENIED" operation="connect" profile="/usr/sbin/tcpdump" name="/run/dbus/system_bus_socket" pid=4106 comm="tcpdump" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0

In both situations, ntpd and tcpdump will seemingly work as expected due to the name resolution fallback configured in nsswitch.conf. However, neither confined process will be using systemd-resolved for name resolution.

[ Regression Potential ]

This fix will allow ntp, tcpdump, cupsd, dhclient, and other confined-by-default programs to start using systemd-resolved. There is some potential for regression since those applications have not been previously using systemd-resolved.

[ Original bug description ]

On this plain install of Xenial apparmor complains about ntpd:

[ 19.379152] audit: type=1400 audit(1467623330.386:27): apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" pid=4513 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=121 ouid=0
[ 20.379299] audit: type=1400 audit(1467623331.386:28): apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" pid=4513 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=121 ouid=0
[ 22.426246] audit: type=1400 audit(1467623333.434:29): apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" pid=4513 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=121 ouid=0
[ 22.771326] audit: type=1400 audit(1467623333.782:30): apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" pid=4513 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=121 ouid=0
[ 23.568548] audit: type=1400 audit(1467623334.574:31): apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" pid=4513 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=121 ouid=0

Adding the following line to /etc/apparmor.d/usr.sbin.ntpd fixes the problem:

#include <abstractions/dbus-strict>

See original description

Tags:

knz (knz) on 2016-07-04

summary:

- missing apparmor definition for ntpd
+ incomplete apparmor definition for ntpd

Revision history for this message

dino99 (9d9) wrote on 2016-08-03: Re: incomplete apparmor definition for ntpd

Seeing this problem now with apparmor 2.10.95-4ubuntu3 on yakkety

kernel: [ 38.160420] audit: type=1400 audit(1470204773.635:27): apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" pid=2706 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=118 ouid=0
kernel: [ 39.076124] audit: type=1400 audit(1470204774.551:28): apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" pid=2706 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=118 ouid=0
kernel: [ 40.076112] audit: type=1400 audit(1470204775.551:29): apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" pid=2706 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=118 ouid=0
kernel: [ 41.084971] audit: type=1400 audit(1470204776.560:30): apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" pid=2706 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=118 ouid=0
kernel: [ 42.097404] audit: type=1400 audit(1470204778.059:31): apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" pid=2706 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=118 ouid=0
kernel: [ 42.113042] audit: type=1400 audit(1470204778.075:32): apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" pid=2706 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=118 ouid=0

tags:

added: xenial yakkety

Revision history for this message

Launchpad Janitor (janitor) wrote on 2016-08-03:

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in apparmor (Ubuntu):
status:	New → Confirmed
Changed in ntp (Ubuntu):
status:	New → Confirmed

Robie Basak (racb) on 2016-08-10

Changed in ntp (Ubuntu):
importance:	Undecided → High
tags:	added: bitesize

Robie Basak (racb) on 2016-08-10

Changed in ntp (Ubuntu):
assignee:	nobody → Joshua Powers (powersj)

Alberto Salvia Novella (es20490446e) on 2016-08-30

Changed in apparmor (Ubuntu):
importance:	Undecided → High

Revision history for this message

dino99 (9d9) wrote on 2016-08-31:

yakkety is no more affected: the "DENIED" apparmor logs are gone now (#1)
and ntpd works as expected.

tags:

removed: yakkety

Revision history for this message

Joshua Powers (powersj) wrote on 2016-08-31:

dinno99,

Any objection then to closing this as fixed?

Revision history for this message

dino99 (9d9) wrote on 2016-08-31:

@Joshua

i've just commented about my own initial #1 comment above and the related 'DENIED' logged.
That report is not mine anyway, and the subject is way more wider (as i understand it); and probably needs to check 'possible' "incomplete apparmor definition" as reported.

The OP seems to point some 'dbus' header
Maybe that was a transitional problem on his side; but he has not commented back.

Revision history for this message

knz (knz) wrote on 2016-08-31:

I'm the initial OP. What am I supposed to do here?

Revision history for this message

Joshua Powers (powersj) wrote on 2016-08-31:

knz,

I originally, and incorrectly, assumed dinno99 was the OP. If you could update your xenial install to see if the bug still exists that would be good. I'll do the same tomorrow.

Revision history for this message

Joshua Powers (powersj) wrote on 2016-09-07:

@knz, can you verify this still exists on your system and if so:

* Provide the version of ntp and apparmor you are using
* Command or what you do to get the error to show up

I was unable to reproduce on both xenial and yakkety. The versions I had available to me are below and the only DENIED messages from /var/log/kern.log are below in each instance when I ran 'sudo ntpd'

yakkety
---
powersj@ubuntu:/var/log$ dpkg -l | grep ntp
ii ntp 1:4.2.8p8+dfsg-1ubuntu1 amd64 Network Time Protocol daemon and utility programs
powersj@ubuntu:/var/log$ dpkg -l | grep apparmor
ii apparmor 2.10.95-4ubuntu4 amd64 user-space parser utility for AppArmor

Sep 7 17:44:17 ubuntu kernel: [ 138.147239] audit: type=1400 audit(1473284657.365:17): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/usr/local/sbin/" pid=2179 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Sep 7 17:44:17 ubuntu kernel: [ 138.147316] audit: type=1400 audit(1473284657.365:18): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/usr/local/bin/" pid=2179 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

xenial
---
ubuntu@xenial:~$ dpkg -l | grep ntp
ii ntp 1:4.2.8p4+dfsg-3ubuntu5.1 amd64 Network Time Protocol daemon and utility programs
ubuntu@xenial:~$ dpkg -l | grep apparmor
ii apparmor 2.10.95-0ubuntu2.2 amd64 user-space parser utility for AppA

Sep 7 22:04:18 ubuntu kernel: [ 60.182587] audit: type=1400 audit(1473285858.665:15): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/usr/local/sbin/" pid=3265 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Sep 7 22:04:18 ubuntu kernel: [ 60.182675] audit: type=1400 audit(1473285858.665:16): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/usr/local/bin/" pid=3265 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

@knz, can you verify this still exists on your system and if so:

* Provide the version of ntp and apparmor you are using
* Command or what you do to get the error to show up

yakkety
---
powersj@ubuntu:/var/log$ dpkg -l | grep ntp
ii  ntp                                  1:4.2.8p8+dfsg-1ubuntu1           amd64        Network Time Protocol daemon and utility programs
powersj@ubuntu:/var/log$ dpkg -l | grep apparmor
ii  apparmor                             2.10.95-4ubuntu4                  amd64        user-space parser utility for AppArmor

Sep  7 17:44:17 ubuntu kernel: [  138.147239] audit: type=1400 audit(1473284657.365:17): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/usr/local/sbin/" pid=2179 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Sep  7 17:44:17 ubuntu kernel: [  138.147316] audit: type=1400 audit(1473284657.365:18): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/usr/local/bin/" pid=2179 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

xenial
---
ubuntu@xenial:~$ dpkg -l | grep ntp
ii  ntp                              1:4.2.8p4+dfsg-3ubuntu5.1       amd64        Network Time Protocol daemon and utility programs
ubuntu@xenial:~$ dpkg -l | grep apparmor
ii  apparmor                         2.10.95-0ubuntu2.2              amd64        user-space parser utility for AppA

Sep  7 22:04:18 ubuntu kernel: [   60.182587] audit: type=1400 audit(1473285858.665:15): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/usr/local/sbin/" pid=3265 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Sep  7 22:04:18 ubuntu kernel: [   60.182675] audit: type=1400 audit(1473285858.665:16): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/usr/local/bin/" pid=3265 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Changed in ntp (Ubuntu):
status:	Confirmed → Incomplete
Changed in apparmor (Ubuntu):
status:	Confirmed → Incomplete

Revision history for this message

Jon Skarpeteig (jskarpet) wrote on 2016-10-11:

#10

Download full text (5.6 KiB)

I am suffering from a similar issue, but with slightly different behavior

<pre>
# journalctl -u ntp
Oct 11 10:23:29 lys-stats ntp[5670]: * Starting NTP server ntpd
Oct 11 10:23:29 lys-stats ntpd[5681]: ntpd 4.2.8p4@1.3265-o Wed Oct 5 12:34:45 UTC 2016 (1): Starting
Oct 11 10:23:29 lys-stats ntp[5670]: ...done.
Oct 11 10:23:29 lys-stats systemd[1]: Started LSB: Start NTP daemon.
Oct 11 10:23:29 lys-stats ntpd[5683]: proto: precision = 0.091 usec (-23)
Oct 11 10:23:29 lys-stats ntpd[5683]: restrict 0.0.0.0: KOD does nothing without LIMITED.
Oct 11 10:23:29 lys-stats ntpd[5683]: restrict ::: KOD does nothing without LIMITED.
Oct 11 10:23:29 lys-stats ntpd[5683]: Listen and drop on 0 v6wildcard [::]:123
Oct 11 10:23:29 lys-stats ntpd[5683]: Listen and drop on 1 v4wildcard 0.0.0.0:123
Oct 11 10:23:29 lys-stats ntpd[5683]: ./../lib/isc/unix/ifiter_getifaddrs.c:99: unexpected error:
Oct 11 10:23:29 lys-stats ntpd[5683]: getting interface addresses: getifaddrs: Permission denied
Oct 11 10:23:29 lys-stats ntpd[5683]: unable to open routing socket (Permission denied) - using polled interface up
Oct 11 10:23:31 lys-stats ntpd[5683]: ./../lib/isc/unix/ifiter_getifaddrs.c:99: unexpected error:
Oct 11 10:23:31 lys-stats ntpd[5683]: getting interface addresses: getifaddrs: Permission denied
# dmesg -T
[Tue Oct 11 10:23:29 2016] audit: type=1400 audit(1476174209.696:24): apparmor="DENIED" operation="create" profile="/usr/sbin/ntpd" pid=5683 comm="ntpd" family="netlink" sock_type="raw" protocol=0 requested_mask="create" denied_mask="create"
[Tue Oct 11 10:23:29 2016] audit: type=1400 audit(1476174209.700:25): apparmor="DENIED" operation="create" profile="/usr/sbin/ntpd" pid=5683 comm="ntpd" family="netlink" sock_type="raw" protocol=0 requested_mask="create" denied_mask="create"
[Tue Oct 11 10:23:29 2016] audit: type=1400 audit(1476174209.700:26): apparmor="DENIED" operation="create" profile="/usr/sbin/ntpd" pid=5683 comm="ntpd" family="netlink" sock_type="raw" protocol=0 requested_mask="create" denied_mask="create"
[Tue Oct 11 10:23:31 2016] audit: type=1400 audit(1476174211.356:27): apparmor="DENIED" operation="create" profile="/usr/sbin/ntpd" pid=5683 comm="ntpd" family="netlink" sock_type="raw" protocol=0 requested_mask="create" denied_mask="create"
# apt-cache policy apparmor
apparmor:
  Installed: 2.10.95-0ubuntu2.2
  Candidate: 2.10.95-0ubuntu2.2
  Version table:
*** 2.10.95-0ubuntu2.2 500
        500 http://archive.ubuntu.com:80/ubuntu xenial-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     2.10.95-0ubuntu2 500
        500 http://archive.ubuntu.com:80/ubuntu xenial/main amd64 Packages
# apt-cache policy ntp
ntp:
  Installed: 1:4.2.8p4+dfsg-3ubuntu5.3
  Candidate: 1:4.2.8p4+dfsg-3ubuntu5.3
  Version table:
*** 1:4.2.8p4+dfsg-3ubuntu5.3 500
        500 http://archive.ubuntu.com:80/ubuntu xenial-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
        100 /var/lib/dpkg/status
     1:4.2.8p4+dfsg-3ubuntu5 500
        500 http://archive.ubuntu.com:80/ubuntu xenial/main amd64 Packages
# cat /etc/ntp.conf
tinker panic 0
disable monitor
restrict -4 default kod nomodify notrap...

I am suffering from a similar issue, but with slightly different behavior

<pre>
# journalctl -u ntp
Oct 11 10:23:29 lys-stats ntp[5670]:  * Starting NTP server ntpd
Oct 11 10:23:29 lys-stats ntpd[5681]: ntpd 4.2.8p4@1.3265-o Wed Oct  5 12:34:45 UTC 2016 (1): Starting
Oct 11 10:23:29 lys-stats ntp[5670]:    ...done.
Oct 11 10:23:29 lys-stats systemd[1]: Started LSB: Start NTP daemon.
Oct 11 10:23:29 lys-stats ntpd[5683]: proto: precision = 0.091 usec (-23)
Oct 11 10:23:29 lys-stats ntpd[5683]: restrict 0.0.0.0: KOD does nothing without LIMITED.
Oct 11 10:23:29 lys-stats ntpd[5683]: restrict ::: KOD does nothing without LIMITED.
Oct 11 10:23:29 lys-stats ntpd[5683]: Listen and drop on 0 v6wildcard [::]:123
Oct 11 10:23:29 lys-stats ntpd[5683]: Listen and drop on 1 v4wildcard 0.0.0.0:123
Oct 11 10:23:29 lys-stats ntpd[5683]: ./../lib/isc/unix/ifiter_getifaddrs.c:99: unexpected error:
Oct 11 10:23:29 lys-stats ntpd[5683]: getting interface addresses: getifaddrs: Permission denied
Oct 11 10:23:29 lys-stats ntpd[5683]: unable to open routing socket (Permission denied) - using polled interface up
Oct 11 10:23:31 lys-stats ntpd[5683]: ./../lib/isc/unix/ifiter_getifaddrs.c:99: unexpected error:
Oct 11 10:23:31 lys-stats ntpd[5683]: getting interface addresses: getifaddrs: Permission denied
# dmesg -T
[Tue Oct 11 10:23:29 2016] audit: type=1400 audit(1476174209.696:24): apparmor="DENIED" operation="create" profile="/usr/sbin/ntpd" pid=5683 comm="ntpd" family="netlink" sock_type="raw" protocol=0 requested_mask="create" denied_mask="create"
[Tue Oct 11 10:23:29 2016] audit: type=1400 audit(1476174209.700:25): apparmor="DENIED" operation="create" profile="/usr/sbin/ntpd" pid=5683 comm="ntpd" family="netlink" sock_type="raw" protocol=0 requested_mask="create" denied_mask="create"
[Tue Oct 11 10:23:29 2016] audit: type=1400 audit(1476174209.700:26): apparmor="DENIED" operation="create" profile="/usr/sbin/ntpd" pid=5683 comm="ntpd" family="netlink" sock_type="raw" protocol=0 requested_mask="create" denied_mask="create"
[Tue Oct 11 10:23:31 2016] audit: type=1400 audit(1476174211.356:27): apparmor="DENIED" operation="create" profile="/usr/sbin/ntpd" pid=5683 comm="ntpd" family="netlink" sock_type="raw" protocol=0 requested_mask="create" denied_mask="create"
# apt-cache policy apparmor
apparmor:
  Installed: 2.10.95-0ubuntu2.2
  Candidate: 2.10.95-0ubuntu2.2
  Version table:
 *** 2.10.95-0ubuntu2.2 500
        500 http://archive.ubuntu.com:80/ubuntu xenial-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     2.10.95-0ubuntu2 500
        500 http://archive.ubuntu.com:80/ubuntu xenial/main amd64 Packages
# apt-cache policy ntp
ntp:
  Installed: 1:4.2.8p4+dfsg-3ubuntu5.3
  Candidate: 1:4.2.8p4+dfsg-3ubuntu5.3
  Version table:
 *** 1:4.2.8p4+dfsg-3ubuntu5.3 500
        500 http://archive.ubuntu.com:80/ubuntu xenial-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
        100 /var/lib/dpkg/status
     1:4.2.8p4+dfsg-3ubuntu5 500
        500 http://archive.ubuntu.com:80/ubuntu xenial/main amd64 Packages
# cat /etc/ntp.conf
tinker panic 0
disable monitor
restrict -4 default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
server pool.ntp.org iburst
driftfile /var/lib/ntp/drift
# cat /etc/apparmor.d/usr.sbin.ntpd
# vim:syntax=apparmor
# Updated for Ubuntu by: Jamie Strandboge <jamie@canonical.com>
# ------------------------------------------------------------------
#
#    Copyright (C) 2002-2005 Novell/SUSE
#    Copyright (C) 2009-2012 Canonical Ltd.
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
# ------------------------------------------------------------------

#include <tunables/global>
#include <tunables/ntpd>
/usr/sbin/ntpd {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/user-tmp>

capability ipc_lock,
  capability net_bind_service,
  capability setgid,
  capability setuid,
  capability sys_chroot,
  capability sys_resource,
  capability sys_time,
  capability sys_nice,

# ntp uses AF_INET, AF_INET6 and AF_UNSPEC
  network dgram,
  network stream,

@{PROC}/net/if_inet6 r,
  @{PROC}/*/net/if_inet6 r,
  @{NTPD_DEVICE} rw,
  # pps devices are almost exclusively used with NTP
  /dev/pps[0-9]* rw,

/{,s}bin/      r,
  /usr/{,s}bin/  r,
  /usr/sbin/ntpd rmix,

/etc/ntp.conf r,
  /etc/ntp.conf.dhcp r,
  /etc/ntpd.conf r,
  /etc/ntpd.conf.tmp r,
  /var/lib/ntp/ntp.conf.dhcp r,

/etc/ntp.keys r,
  /etc/ntp/** r,

/etc/ntp.drift rwl,
  /etc/ntp.drift.TEMP rwl,
  /etc/ntp/drift* rwl,
  /var/lib/ntp/*drift rw,
  /var/lib/ntp/*drift.TEMP rw,

/var/log/ntp w,
  /var/log/ntp.log w,
  /var/log/ntpd w,
  /var/log/ntpstats/clockstats* rwl,
  /var/log/ntpstats/loopstats*  rwl,
  /var/log/ntpstats/peerstats*  rwl,
  /var/log/ntpstats/protostats* rwl,
  /var/log/ntpstats/rawstats*   rwl,
  /var/log/ntpstats/sysstats*   rwl,

/{,var/}run/ntpd.pid w,

# samba4 ntp signing socket
  /{,var/}run/samba/ntp_signd/socket rw,

# For use with clocks that report via shared memory (e.g. gpsd),
  # you may need to give ntpd access to all of shared memory, though
  # this can be considered dangerous. See https://launchpad.net/bugs/722815
  # for details. To enable, add this to local/usr.sbin.ntpd:
  #     capability ipc_owner,

# Site-specific additions and overrides. See local/README for details.
  #include <local/usr.sbin.ntpd>
}
# uname -rpv
4.4.0-38-generic #57-Ubuntu SMP Tue Sep 6 15:42:33 UTC 2016 x86_64
</pre>

Revision history for this message

Tyler Hicks (tyhicks) wrote on 2016-10-11: Re: AppArmor nameservice abstraction doesn't allow communication with systemd-resolve

#11

I can reproduce this in yakkety with ntp 1:4.2.8p8+dfsg-1ubuntu2 and apparmor 2.10.95-4ubuntu5. It is due to Yakkety's use of systemd-resolved, which is used by the nss-resolve plugin to resolve hostnames.

summary:

- incomplete apparmor definition for ntpd
+ AppArmor nameservice abstraction doesn't allow communication with
+ systemd-resolve

Revision history for this message

Tyler Hicks (tyhicks) wrote on 2016-10-11:

#12

The correct fix for this issue is in AppArmor's nameservice abstraction. Marking the ntp task as invalid as there's no change needed for the ntp package itself.

Changed in ntp (Ubuntu):
status:	Incomplete → Invalid
Changed in apparmor (Ubuntu):
assignee:	nobody → Tyler Hicks (tyhicks)
status:	Incomplete → Triaged
summary:	AppArmor nameservice abstraction doesn't allow communication with - systemd-resolve + systemd-resolved
Changed in apparmor:
status:	New → In Progress
importance:	Undecided → High
assignee:	nobody → Tyler Hicks (tyhicks)

Revision history for this message

Tyler Hicks (tyhicks) wrote on 2016-10-11:

#13

Fix sent upstream for review: https://lists.ubuntu.com/archives/apparmor/2016-October/010130.html

Revision history for this message

Tyler Hicks (tyhicks) wrote on 2016-10-11:

#14

I forgot to mention what brought me to this bug. I am seeing this denial when running tcpdump in Ubuntu Yakkety:

apparmor="DENIED" operation="connect" profile="/usr/sbin/tcpdump" name="/run/dbus/system_bus_socket" pid=25098 comm="tcpdump" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0

After pulling the dbus-strict abstraction into the tcpdump profile, I then see this denial:

pid=2204 uid=105 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/resolve1" interface="org.freedesktop.resolve1.Manager" member="ResolveAddress" mask="send" name="org.freedesktop.resolve1" pid=25438 label="/usr/sbin/tcpdump" peer_pid=2471 peer_label="unconfined"

My proposed fix grants access to the ResolveAddress, ResolveHostname, ResolveRecord, and ResolveService methods of the D-Bus API.

Tyler Hicks (tyhicks) on 2016-10-12

description:

updated

Revision history for this message

dino99 (9d9) wrote on 2016-10-12:

#15

@Tyler

comment about the #14 above

i've reported against the 'kernel' the same issue output (but linux could be the false package; i'm not sure at all)

Bug #1628835

Revision history for this message

Martin Pitt (pitti) wrote on 2016-10-13: Please test proposed package

#16

Hello knz, or anyone else affected,

Accepted apparmor into yakkety-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/apparmor/2.10.95-4ubuntu5.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in apparmor (Ubuntu Yakkety):
status:	Triaged → Fix Committed
tags:	added: verification-needed

Revision history for this message

Tyler Hicks (tyhicks) wrote on 2016-10-13:

#17

This change looks to be working as expected. I've done the manual verification in the bug description and I've also went through the desktop/server related portions of https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor.

tags:

added: verification-done
removed: verification-needed

Revision history for this message

Tyler Hicks (tyhicks) wrote on 2016-10-13:

#18

We've decided not to merge this patch in the upstream AppArmor project at this time because most distros don't have the ability to perform fine-grained mediation of D-Bus communications and this change would grant full system bus access to network-facing daemons in those distros.

Changed in apparmor:
assignee:	Tyler Hicks (tyhicks) → nobody
status:	In Progress → Triaged

Christian Boltz (cboltz) on 2016-10-13

tags:

added: aa-policy

Revision history for this message

Launchpad Janitor (janitor) wrote on 2016-10-20:

#19

This bug was fixed in the package apparmor - 2.10.95-4ubuntu5.1

---------------
apparmor (2.10.95-4ubuntu5.1) yakkety; urgency=medium

  * debian/patches/profiles-grant-access-to-systemd-resolved.patch: AppArmor
    profiles that make use of the nameservice abstraction should be allowed to
    communicate with systemd-resolved over D-Bus. Ubuntu 16.10 systems are
    configured to use nss-resolve which then communicates with
    systemd-resolved's D-Bus API. (LP: #1598759)

-- Tyler Hicks <email address hidden> Wed, 12 Oct 2016 01:47:06 +0000

Changed in apparmor (Ubuntu):
status:	Fix Committed → Fix Released

Revision history for this message

Launchpad Janitor (janitor) wrote on 2016-10-20:

#21

This bug was fixed in the package apparmor - 2.10.95-4ubuntu5.1

---------------
apparmor (2.10.95-4ubuntu5.1) yakkety; urgency=medium

-- Tyler Hicks <email address hidden> Wed, 12 Oct 2016 01:47:06 +0000

Changed in apparmor (Ubuntu Yakkety):
status:	Fix Committed → Fix Released

Revision history for this message

Martin Pitt (pitti) wrote on 2016-10-20: Update Released

#20

The verification of the Stable Release Update for apparmor has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

John Johansen (jjohansen) on 2017-01-31

Changed in apparmor:
status:	Triaged → Fix Released

Revision history for this message

Tyler Hicks (tyhicks) wrote on 2017-01-31:

#22

This isn't fixed in AppArmor upstream. As an upstream, we decided against taking in this policy update until the patches to perform D-Bus mediation have landed in the upstream kernel. Without those patches, we'd be granting full access to the D-Bus system bus socket from the very commonly used namespace abstraction.

Changed in apparmor:
status:	Fix Released → Triaged

Revision history for this message

DimkaS (dimka-rs) wrote on 2017-02-10:

#23

Still present for me

[176007.813051] audit: type=1400 audit(1486720189.738:122): apparmor="DENIED" operation="sendmsg" profile="/usr/bin/evince" name="/run/systemd/journal/socket" pid=14715 comm="EvJobScheduler" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0

[179389.232131] audit: type=1400 audit(1486723571.310:133): apparmor="DENIED" operation="sendmsg" profile="/usr/bin/evince" name="/run/systemd/journal/socket" pid=17305 comm="evince" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0

DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.10
DISTRIB_CODENAME=yakkety
DISTRIB_DESCRIPTION="Ubuntu 16.10"

Not sure if it affects something.

Revision history for this message

Václav Haisman (vzeman79) wrote on 2017-07-23:

#24

Still true for Zesty.

tags:

added: zesty

Revision history for this message

intrigeri (intrigeri) wrote on 2017-08-05:

#25

FWIW current Ubuntu citrain branch seems to apply exactly the same patch twice for some reason:

debian/patches/adjust-nameservice-for-systemd-resolved.patch
debian/patches/profiles-grant-access-to-systemd-resolved.patch

Not sure what's going on, but anyway we don't apply this patch in Debian so this only affects the Ubuntu-specific bits of the packaging.

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2017-08-07:

#26

@intrigeri - you're right. I'll fix this in the citrain branch and in 2.11.0-2ubuntu14.

Revision history for this message

Roel Van de Paar (roel11) wrote on 2017-08-25:

#27

[175882.466186] audit: type=1400 audit(1503640503.535:62): apparmor="DENIED" operation="sendmsg" profile="/usr/bin/evince" name="/run/systemd/journal/socket" pid=7704 comm="evince" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0

Same here (17.04)

Report a bug

This report contains Public information

Everyone can see this information.

Duplicates of this bug

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubuntuntp package

AppArmor nameservice abstraction doesn't allow communication with systemd-resolved

Bug Description

Duplicates of this bug

Other bug subscribers

Remote bug watches

Ubuntu
ntp package